The following changes pertain to file and file system security.
The aclmode property, which determines how the ACL permissions on a file are modified during a chmod operation, is reintroduced in this release. The aclmode values are discard, mask, and passthrough. The discard default value is the most restrictive, and the passthrough value is the least restrictive.
For information about how to protect files and zones by using these attributes, see Examples of Setting Security-Relevant Attributes on ZFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.3.
In previous Oracle Solaris releases and in this release, the Cryptographic Framework feature provides the encrypt, decrypt, and mac commands to encrypt files.
Oracle Solaris 10 does not support ZFS encryption. However, Oracle Solaris 11 supports the following ZFS encryption features:
ZFS encryption is integrated with the ZFS command set. Like other ZFS operations, key change and rekey operations are performed online.
You can use your existing storage pools as long as they are upgraded. You have the flexibility of encrypting specific file systems.
ZFS encryption is inheritable to descendent file systems. Key management can be delegated through ZFS delegated administration.
Data is encrypted by using AES (Advanced Encryption Standard) with key lengths of 128, 192, and 256 bits in the CCM and GCM operation modes.
ZFS encryption uses the Cryptographic Framework feature, which gives it access to any available hardware acceleration or optimized software implementations of the encryption algorithms automatically.
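The following added example (not from the Oracle documentation) audits the aclmode and encryption properties described above by reading tab-separated `zfs get -H -o name,property,value aclmode,encryption` output on standard input. The function name audit_zfs_props and the dataset names in SAMPLE are hypothetical, and SAMPLE is constructed data so that the script runs without a ZFS pool.

```shell
#!/bin/sh
# Added example: flag ZFS datasets that use the least restrictive aclmode
# or that are not encrypted.
# Expected input (tab-separated, one property per line), as produced by:
#   zfs get -H -o name,property,value aclmode,encryption

# Constructed sample data, not output from a real system.
SAMPLE="$(printf '%s\t%s\t%s\n' \
  rpool/export/home aclmode discard \
  rpool/export/home encryption off \
  rpool/projects aclmode passthrough \
  rpool/projects encryption aes-256-gcm \
  rpool/secrets aclmode mask \
  rpool/secrets encryption on)"

# Prints one line per finding; returns 1 if anything was flagged, else 0.
audit_zfs_props() {
  awk -F '\t' '
    # passthrough is the least restrictive aclmode value
    $2 == "aclmode" && $3 == "passthrough" {
      printf "WARN %s aclmode=passthrough (least restrictive value)\n", $1
      bad++
      next
    }
    # any value other than discard, mask or passthrough is unexpected
    $2 == "aclmode" && $3 != "discard" && $3 != "mask" {
      printf "UNKNOWN %s aclmode=%s\n", $1, $3
      bad++
      next
    }
    # encryption=off means the data in this file system is not encrypted
    $2 == "encryption" && $3 == "off" {
      printf "WARN %s encryption=off (data stored unencrypted)\n", $1
      bad++
    }
    END { exit (bad > 0) }
  '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | audit_zfs_props || echo "findings present"
```

On a live system, pipe the real command output into the function instead of SAMPLE, for example with `zfs get -rH -o name,property,value aclmode,encryption rpool | audit_zfs_props`.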
The file-mac-profile property enables you to run zones with a read-only root file system. This feature enables you to choose between four predefined profiles that determine how much of a zone file system is read-only, even for processes that have allzone privileges. See Chapter 11, Configuring and Administering Immutable Zones in Creating and Using Oracle Solaris Zones.